CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature

Affected Versions
Versions 2.3.0 to 2.3.34, 2.6.0 to 2.6.11, and 2.7.0 to 2.7.6 of the Symfony Security component are affected by this security issue.
This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.
Description
A session fixation vulnerability in the "Remember Me" login feature allows an attacker to impersonate the victim to the web application if the session id value was previously known to the attacker.
The described vulnerability allows an attacker to access a Symfony web application with the attacked user's permissions. The attack requires that the application uses the "Remember Me" login feature. Additionally, the attacker must either have obtained the PHPSESSID cookie value or have successfully set a new value in the user's browser. Because of these requirements, the described vulnerability poses only a low risk.
Resolution
The fix migrates the session after a successful login via the "Remember Me" login feature.
The patch for this issue is available here.
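To make the fix concrete, here is an added example in PHP (not Symfony's own code; `SessionStore` and `rememberMeLogin` are hypothetical names, and it assumes PHP 8.0 or later) that simulates a remember-me auto-login with and without migrating the session:

```php
<?php
// Added example, not Symfony's own code: a minimal session store and a
// "remember me" auto-login, showing why the fix migrates the session.
// SessionStore and rememberMeLogin are hypothetical names for this illustration.
final class SessionStore
{
    /** @var array<string, array<string, mixed>> session id => attributes */
    private array $sessions = [];
    // Like PHP itself, accept a client-supplied id (the fixation vector) or mint one.
    public function start(?string $id = null): string
    {
        $id ??= bin2hex(random_bytes(16));
        $this->sessions[$id] ??= [];
        return $id;
    }
    public function set(string $id, string $key, mixed $value): void
    {
        $this->sessions[$id][$key] = $value;
    }
    public function get(string $id, string $key): mixed
    {
        return $this->sessions[$id][$key] ?? null;
    }
    // Equivalent of session_regenerate_id(true): fresh id, old id destroyed.
    public function migrate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }
}
// Remember-me auto-login: $migrate=false keeps the incoming id (vulnerable), true migrates it first (the fix).
function rememberMeLogin(SessionStore $store, string $id, string $user, bool $migrate): string
{
    if ($migrate) {
        $id = $store->migrate($id);
    }
    $store->set($id, 'user', $user);
    return $id; // the id the browser keeps using after login
}
foreach ([false, true] as $migrate) {
    $store = new SessionStore();
    $planted = $store->start('attacker-known-id'); // constructed id the attacker already knows
    $newId = rememberMeLogin($store, $planted, 'victim', $migrate);
    // Without migration the planted id is now authenticated; with it, only $newId is.
    printf("migrate=%d planted=%s new=%s\n", (int) $migrate,
        var_export($store->get('attacker-known-id', 'user'), true),
        var_export($store->get($newId, 'user'), true));
}
```

The first iteration shows the planted id carrying the victim's authenticated state, which is exactly what the fix prevents by issuing a fresh id and destroying the old one.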
Credits
I would like to thank the RedTeam Pentesting GmbH team for reporting this security issue and providing a very detailed description of the problem and how to reproduce it (on which the current advisory is based). Thanks to Sergey Novikov and Christian Flothmann for writing the fix for the various Symfony versions.
Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.